Share this story

As many as 11 million passwords were posted online more than four months after hackers penetrated the defenses of Gamigo, a free gaming website based in Germany, according to published reports.

The list of passwords, which were scrambled using a one-way cryptographic hash algorithm, were published earlier this month to a forum on the password-cracking website Inside Pro, according to an article published Monday by Forbes. The list also contained 8.2 million unique e-mail addresses, including 3 million accounts from the US, 2.4 million accounts from Germany, and 1.3 million accounts from France.

Gamigo warned users in early March that an "attack on the Gamigo database" had exposed hashed passwords and usernames and possibly other, unspecified "additional personal data." The site required users to change their account passwords. The 11 million-password leak four months later raises the possibility that users who chose the same passwords to secure other site accounts may remain at risk, since the dump contained e-mail addresses from Gmail, Yahoo, Hotmail, IBM, Siemens, ExxonMobil, and Allianz, to name a few.

Even after removing duplicates, the number of passwords in this latest dump is among the largest seen in a public breach this year. In June, more than 6.4 million hashed passwords belonging to members of business networking website LinkedIn were posted online, and more than 1 million more passwords for eHarmony users were also exposed. While the lists were hashed, the availability of free cracking programs such as John the Ripper and Hashcat make it possible to retrieve a large percentage of most dumps in a matter of minutes or hours.

One of the largest known password leaks came in 2009, with the publication of more than 32 million plaintext passwords retrieved from online game service RockYou. Even with duplicates removed, the list included more than 14 million passwords. That list now serves as one of the key sources many crackers use to guess passwords.